Seamless Campaign Leads to RIG EK at 92.222.48.83 and Drops Ramnit

The infection vector for this Ramnit compromise was the RIG exploit kit. The user was redirected to the exploit kit via a malvertising chain using the Seamless campaign. The Seamless campaign has been dropping Ramnit for a while now. You can read more about the Seamless campaign HERE.

The referer used for this infection was the Seamless gate at 194.58.40[.]252/signup1[.]php. The response from the gate included the following iframe:

The iframe contained the URL for the RIG exploit kit landing page.
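
The gate-to-landing-page hop described above can be hunted for in captured HTTP responses. The following is an added example, not code from the original post: it extracts iframe targets from a response body and flags those that leave the responding host for a bare IP address, as the gate and the RIG host in this infection both are. The sample URL and body are constructed (documentation-range addresses, placeholder query string), and `IframeCollector`, `is_ip_literal` and `suspicious_iframes` are names chosen for this example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a response body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def is_ip_literal(host):
    """True when the host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_iframes(page_url, body):
    """Return absolute iframe URLs that leave the page's host for a bare IP."""
    page_host = urlsplit(page_url).hostname
    collector = IframeCollector()
    collector.feed(body)
    hits = []
    for src in collector.sources:
        target = urljoin(page_url, src)  # resolve relative src values
        host = urlsplit(target).hostname
        if host and host != page_host and is_ip_literal(host):
            hits.append(target)
    return hits


# Constructed sample: RFC 5737 documentation addresses, placeholder query.
GATE_URL = "http://192.0.2.10/signup1.php"
GATE_BODY = (
    '<html><body><iframe src="/banner.html" width="300"></iframe>'
    '<iframe width="1" height="1" '
    'src="http://198.51.100.20/?PLACEHOLDER_LANDING_QUERY"></iframe>'
    '</body></html>'
)
```

Calling `suspicious_iframes(GATE_URL, GATE_BODY)` returns only the second iframe; the same-host `/banner.html` frame is ignored. Hits are leads for review, since legitimate pages occasionally frame IP-addressed hosts as well.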

Below is an image of some network traffic being filtered in Wireshark: